A buffer overflow in the XNU kernel (opens in new tab)

(jprx.io)

146 pointsjprx1y ago35 comments

35 comments

lgdskhglsa1y ago

In case people missed it, the name of the exploit is a blink 182 song released around the time it was discovered.

jprxOP1y ago

You get it!!

lgdskhglsa1y ago

It's my favorite song of the album :)

bartvk1y ago

If you're still running the affected kernel, what are the possible consequences?

Also, this has been public for months:

- February 17, 2024: I posted the hash of TURPENTINE.c to X on Feb 17, 2024.

- May 13, 2024: macOS Sonoma 14.5 (23F79) shipped with xnu-10063.121.3, the first public release containing a fix.

axoltl1y ago

The syscalls involved are in a lot of sandboxes, so worst (or best, depending on your point of view) case scenario it's a pretty universal privesc. There's a lot of steps to get there though. I'm not super familiar with the mbuf subsystem specifically but I'm going to guess mbufs are in their own allocator zone. That means you're guaranteed to overwrite an adjacent m_hdr structure. Those contains pointers that form a linked list and at first glance I don't see linked list hardening or zone checks in the MBUF macros. One could envision being able to turn this bug into a kASLR leak as well as a kernel r/w primitive and while that isn't the silver bullet it used to be on XNU (because of a whole host of hardening Apple put in) it's still pretty powerful.

TheDong1y ago

> Also, this has been public for months:

Posting the hash to twitter as a proof that "something" exists reveals no actual information, so it's not considered making the exploit "public" in any meaningful way.

From the blog's timeline, it's been visible in code diffs since ~April, but only called out as a CVE since 10 days ago, so I'd consider this one hot off the presses.

j / k navigate · click thread line to collapse

35 comments

lgdskhglsa1y ago

In case people missed it, the name of the exploit is a blink 182 song released around the time it was discovered.

jprxOP1y ago

You get it!!

lgdskhglsa1y ago

It's my favorite song of the album :)

bartvk1y ago

If you're still running the affected kernel, what are the possible consequences?

Also, this has been public for months:

- February 17, 2024: I posted the hash of TURPENTINE.c to X on Feb 17, 2024.

- May 13, 2024: macOS Sonoma 14.5 (23F79) shipped with xnu-10063.121.3, the first public release containing a fix.

axoltl1y ago

TheDong1y ago

> Also, this has been public for months:

Posting the hash to twitter as a proof that "something" exists reveals no actual information, so it's not considered making the exploit "public" in any meaningful way.

From the blog's timeline, it's been visible in code diffs since ~April, but only called out as a CVE since 10 days ago, so I'd consider this one hot off the presses.

j / k navigate · click thread line to collapse